Caso Schrems

This post is also available in: Español

The Schrems case marks one of the most talked about privacy cases in Europe in recent years. A new chapter was added a few days ago with the publication of the Advocate General’s Conclusions in Case C-311/18.

In its Decision 200/520, the European Commission ruled that the principles of safe harbor provided in the decision guarantee an adequate level of protection for personal data transferred from the European Union to entities established in the United States. However, after the first case brought by Maximillian Schrems in relation to personal data transferred by Facebook Ireland to Facebook Inc., in the United States, the Court of Justice of the European Union (CJEU), declared the decision null in its Judgment of October 6, 2015.

The proceedings before the Irish oversight authority continued, now taking into account the invalidity of the decision on safe harbor. Facebook countered that its personal data transfer agreement was based on standard contractual clauses on transferring personal data to third countries established by the European Commission in its Decision 2010/87. Maximillian Schrems reformulated his claim, arguing that the standard contractual clauses should be ruled invalid because they do not allow interested parties to invoke their rights in the United States.

This matter was also submitted to the CJEU for preliminary ruling, with Advocate General Saugmandsgaard Øe recently issuing an opinion. The main question before the CJEU in this second episode of the Schrems case is whether Decision 2010/87, which established the standard contractual clauses for data transfers to third countries, is valid.

The Advocate General’s main conclusions were:

  • EU law applies to personal data transfers to third countries when the transfer is part of a commercial activity, regardless of whether the recipient country’s authorities also process the data for national security purposes.
  • The GDPR seeks a high level of protection when transferring data to third countries, and this can be done both (i) through an adaptation decision that ensures that the national legislation of the country to which the data is being transferred offers sufficient guarantees, as was the case in the now extinct Decision 200/250; and (ii) by means of guarantees from the data exporter─as is the aim of adopting standardized contractual clauses─although both mechanisms are equally valid for ensuring compliance with the GDPR.
  • Since the data processor must suspend or prohibit personal data transfers to third countries when there is a conflict between the standard contractual clauses and the national law of the country in question, the advocate general found that Decision 2010/87 is compatible with the EU Charter of Fundamental Rights.

There is also a 2016 Decision by the European Commission establishing the new privacy shield for personal data transfers to the United States, which replaces the safe harbor declared invalid in the first judgment on the Schrems case. While the case does mention the privacy shield, the advocate general found that the decision on its validity is not part of this case, and that the CJEU should not have to rule on it.

Therefore, if the court upholds the advocate general’s conclusions, then personal data transfers from the European Union to the United States are legitimately covered under the standard contractual clauses, provided they are fully applicable in view of the national law in question. However, given the twists and turns in the case, it would be no surprise to see a third Schrems case in the future that might call the current privacy shield into question.

This post is also available in: Español

Autores:

Consejero

45 artículos

Alejandro Negro

alejandro.negro@cuatrecasas.com

Prácticas

13 artículos



ines.cabanas@cuatrecasas.com